The jboss-ec2-eap package provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).
With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.12.
Security Fix(es):
It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation. (CVE-2016-8656)
It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. (CVE-2016-6816)
An EAP feature to download server log files allows logs to be available via GET requests making them vulnerable to cross-origin attacks. An attacker could trigger the user’s browser to request the log files consuming enough resources that normal server functioning could be impaired. (CVE-2016-8627)
It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information. (CVE-2016-7061)
The CVE-2016-8627 issue was discovered by Darran Lofthouse and Brian Stansberry (Red Hat).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | jboss-ec2-eap | < 7.5.13-1.Final_redhat_2.ep6.el6 | jboss-ec2-eap-7.5.13-1.Final_redhat_2.ep6.el6.noarch.rpm |
RedHat | 6 | noarch | jboss-ec2-eap-samples | < 7.5.13-1.Final_redhat_2.ep6.el6 | jboss-ec2-eap-samples-7.5.13-1.Final_redhat_2.ep6.el6.noarch.rpm |